{ "id": "fe02418b-18d6-494b-885e-0f346e9cecc1", "created_at": "2026-04-06T00:17:03.558513Z", "updated_at": "2026-04-10T13:11:47.672325Z", "deleted_at": null, "sha1_hash": "7cb5c82b6ca00c42e02322d9f90f510ad1a25e29", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48231, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:03:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool XClient\n Tool: XClient\nNames XClient\nCategory Malware\nType Info stealer, Credential stealer\nDescription\n(Talos) The XClient stealer plugin performs anti-VM and anti-virus software checks on the\nvictim's machine. It executes its functions to collect the victim's browser data, including\ncookies, stored credentials, and financial information such as credit card details. It also collects\nthe victim’s data from social media accounts, including Facebook, Instagram, TikTok business\nads, and YouTube. It also collects the application data from the Telegram desktop and Discord\napplication on the victim's machine. The stealer plugin can capture screenshots of the victim’s\ndesktop and save them as a PNG file in the victim's machine’s temporary folder. With PNG\nfiles, the stealer plugin dumps the collected victim’s data from the browser and social media\naccounts in a text file and creates a ZIP archive. The PNG and ZIP files are exfiltrated to the\nattacker's Telegram bot C2.\nInformation Last change to this tool card: 18 June 2024\nDownload this tool card in JSON format\nAll groups using tool XClient\nChanged Name Country Observed\nOther groups\n CoralRaider 2023-Feb 2024\n1 group listed (0 APT, 1 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37bd4995-f8b8-4ee3-b310-1d1566d767ae\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37bd4995-f8b8-4ee3-b310-1d1566d767ae\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37bd4995-f8b8-4ee3-b310-1d1566d767ae\r\nPage 2 of 2\n\nOther groups CoralRaider 2023-Feb 2024 \n1 group listed (0 APT, 1 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37bd4995-f8b8-4ee3-b310-1d1566d767ae" ], "report_names": [ "listgroups.cgi?u=37bd4995-f8b8-4ee3-b310-1d1566d767ae" ], "threat_actors": [ { "id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e", "created_at": "2024-04-19T02:00:03.625955Z", "updated_at": "2026-04-10T02:00:03.616114Z", "deleted_at": null, "main_name": "CoralRaider", "aliases": [], "source_name": "MISPGALAXY:CoralRaider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a894c24-6f51-4863-9efb-7f1b3133c848", "created_at": "2024-06-20T02:02:10.260154Z", "updated_at": "2026-04-10T02:00:05.001393Z", "deleted_at": null, "main_name": "CoralRaider", "aliases": [], "source_name": "ETDA:CoralRaider", "tools": [ "AsyncRAT", "LOLBAS", "LOLBins", "Living off the Land", "Lumma Stealer", "LummaC2", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "Rhadamanthys", "Rhadamanthys Stealer", "RotBot", "XClient" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434623, "ts_updated_at": 1775826707, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7cb5c82b6ca00c42e02322d9f90f510ad1a25e29.pdf", "text": "https://archive.orkl.eu/7cb5c82b6ca00c42e02322d9f90f510ad1a25e29.txt", "img": "https://archive.orkl.eu/7cb5c82b6ca00c42e02322d9f90f510ad1a25e29.jpg" } }